On 5/2/06, Michael Pratt <[EMAIL PROTECTED]> wrote:
The problem was with the directory server (5.2 patch 4, Solaris 8) and how it handles client certificates (or possibly in how we created the certificates). Apparently if the same DS machine receives two certificates at the same time with the same serial number value, only one will be successfully processed and the other will return the error above. This was pointed out to us by a Sun engineer, and it wasn't clear if this is a bug in the version or if this is how DS was intended to work. Regardless, once we changed each user's cert to have a unique serial number the problem disappeared.
It is an error to have multiple certificates issued by the same CA (name) with the same serial number. This is why Mozilla throws a (completely unhelpful for diagnosis) error message whenever it comes across multiple certs with the same serial from the same issuer. It is intended behavior.

(If you issue a CRL, it merely lists the serial numbers that have been revoked. If multiple certificates have the same serial number, then all of them would be revoked at the same time. If that's what you want to happen, the appropriate method is to create a sub-CA that issues all the certs that you want to revoke at the same time, and then revoke the sub-CA's certificate when it's time to kill the authentication mechanism.)

-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
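A pre-load check for the condition discussed in this thread (two certificates with the same issuer name and serial number), added here as an example and not code from either poster or from Directory Server. It assumes a minimal hand-written DER TLV codec and a constructed, unsigned toy certificate layout (`toy_cert`) that carries only the version, serialNumber, signature algorithm and issuer fields that the check needs; the same `issuer_and_serial` walk applies to a real DER certificate, since those fields sit at the front of tbsCertificate.

```python
"""Flag certificates that share an issuer Name and a serial number.  The DER
codec is minimal and the toy certificate is a constructed, unsigned stand-in."""

def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length: n & 0x7F length bytes follow
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def issuer_and_serial(cert_der: bytes):
    """Walk Certificate -> tbsCertificate; return (issuer Name DER body, serial int)."""
    _, tbs, _ = der_decode(der_decode(cert_der)[1])
    pos = 0
    tag, _, nxt = der_decode(tbs, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version comes first
        pos = nxt
    _, serial, pos = der_decode(tbs, pos)       # serialNumber INTEGER
    _, _, pos = der_decode(tbs, pos)            # signature AlgorithmIdentifier
    _, issuer, _ = der_decode(tbs, pos)         # issuer Name (compared as raw DER)
    return issuer, int.from_bytes(serial, "big", signed=True)

def toy_cert(issuer_cn: str, serial: int) -> bytes:
    """Constructed stand-in: version v3, serial, sha256WithRSA OID, issuer CN only."""
    ser = serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big", signed=True)
    cn = der_encode(0x06, bytes.fromhex("550403")) + der_encode(0x0C, issuer_cn.encode())
    issuer = der_encode(0x30, der_encode(0x31, der_encode(0x30, cn)))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, ser)
           + der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B"))) + issuer)
    return der_encode(0x30, der_encode(0x30, tbs))

def duplicate_serials(certs):
    """Return [(issuer DER, serial, count)] for each (issuer, serial) seen more than once."""
    counts = {}
    for c in certs:
        key = issuer_and_serial(c)
        counts[key] = counts.get(key, 0) + 1
    return [(i, s, n) for (i, s), n in counts.items() if n > 1]
```

Running `duplicate_serials` over a batch of user certificates before loading them into the directory reports every serial number a single CA has reused; certificates with the same serial from different CAs are not flagged, since uniqueness is only required per issuer.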